b'HHS/OIG-Audit--"Monitoring of Personally Identifiable Information on Users of Departmental Internet Sites, (A-01-01-03000)"\nDepartment\nof Health and Human Services\nOffice of Inspector General -- AUDIT\n"Monitoring of Personally Identifiable Information on Users of Departmental Internet Sites," (A-01-01-03000)\nApril 16, 2001\nComplete\nText of Report is available in PDF format (761 kb). Copies can also be obtained by contacting the Office of Public\nAffairs at 202-619-1343.\nEXECUTIVE SUMMARY:\nThis final report provides results of our review of the Department\'s monitoring of personally identifiable information\non users of its web sites. Contrary to departmental policy, we found that four operating divisions collected such information\nthrough the use of persistent cookies, without obtaining the required Secretarial prior approval, and did not warn the\nuser that such information was being collected. We also found that 21 of the Department\'s web sites designed for children\ndid not contain a privacy statement or a link to a privacy statement as required by the Children\'s Online Privacy Protection\nAct (COPPA). We recommended that current departmental policy be amended to require frequent review of web sites to detect\nthe use of persistent cookies and that the persistent cookies we detected be immediately disabled. We also recommended\nthat the Department direct the Chief Information Officers (CIOs) of the operating divisions to ensure that web sites do\nnot use persistent cookies without the proper waiver form the Secretary, and that the web sites for children are in compliance\nwith the COPPA. Finally, we recommended that all web site originators be required to certify to their respective CIOs that\nthey are in compliance with applicable laws.'